I've made a "vault" web app in PHP for storing passwords, credit card numbers, etc. It's mostly just for myself, but I'm practicing building it with multiple users in mind. I use two way encryption to secure the data, and want the user to login using their key (vs both a password to login AND a key for their data.)

I initially stored the username in plaintext, and the key/password one way encrypted with a salt. My first concern is that if someone had access to the SQL data, they'd probably have access to my code (my salt and encryption method) making shorter work of revealing the password, then being able to access the two way encrypted data with it.

I also didn't like the username sitting there in plaintext...that's half the login info right there.

2 Answers
2

First of all, don't worry about the username. The username is supposed to be public information — if it wasn't, it wouldn't be a username, it would be a password. Just assume that an attacker will be able to find out the username(s) in any case, and design your system to be secure with that assumption.

Second, don't worry about the encryption (or hashing etc.) method being public, either. That's Kerckhoff's principle — the encryption method should be treated as public, the only thing that needs to be secret should be the key (or password, in this case).

There are many good reasons for this, not the least being that it allows you to publish how the system works (and thus convince your users that it's secure, or to ask for help from security experts, or to just use an existing standard system designed and analyzed by such experts) without compromising its security.

Third, don't worry about the salt either. The salt should also be treated as (potentially) public knowledge. Its purpose is not to provide any additional secrecy, but to protect against attacks using precompiled hash tables by ensuring that every user's password is hashed in a different way, even if the actual passwords happen to be the same.

OK, so what should you do, then?

Well, first of all, you should use a secure key derivation function that implements key stretching (and salting, of course) to derive the user's encryption key from their password. PBKDF2 should do nicely for that, although e.g. scrypt might be even better if you have it available.

Second, you obviously should not use the encryption key as the password hash. In fact, you shouldn't store anything in your database that could be used to obtain the encryption key without knowing the password. (For instance, the encryption key should not be a hash of the password hash.)

One thing you could do is derive both the encryption key and the password hash separately from the password using PBKDF2, but that would be kind of inefficient, since PBKDF2 is deliberately slow. Instead, you could derive the encryption key from the password with PBKDF2, and then use a normal cryptographic hash (e.g. SHA-256) of the key as the password hash for logging in. (Or, if you want to be extra careful, derive both the encryption key and the password hash from an intermediate key derived from the password using PBKDF2.)

Finally, to make changing the password easy, don't directly encrypt files with the user's encryption key. Instead, for each file, create a random file key, encrypt the file with the file key and encrypt the file key with the user's encryption key. That way, when the user wants to change their password, you only need to re-encrypt the file keys.

Can you clarify your, "Second, you obviously should not use the encryption key as the password hash."? Do you mean I should not use the password hash to encrypt my data?
–
sudopeopleOct 30 '12 at 23:39

Same difference. The point is, you need to derive two values from the password: an encryption key to en/decrypt the data, and an authentication key that you save in your user database and compare against the derive value to see if the password is correct. Both of these should be derived from the password using PBKDF2 (or equivalent), but they should not be the same -- otherwise anyone with access to your user database would be able to decrypt every user's files. For the same reason, deriving the encryption key from the authentication key would be a bad idea, but the other way should be OK.
–
Ilmari KaronenOct 31 '12 at 0:22

OK, so my initial setup was the right concept but I learned that using a KDF is much more secure. Your unique key per file idea is really awesome, but I'm not encrypting files, just a single column in a db, so changing passwords would be about the same in effect. Overall I learned a ton and I now feel confident in this approach. Thanks very much!
–
sudopeopleOct 31 '12 at 15:50

Those documents should prove helpful but in regards to What is the best practice for logging in... I don't think there is an easy straight forward answer on that. I am also not a security expert, hopefully someone who knows more is willing to step in and give you advice on that.

"You want Salt With That?" was a pretty good read. It reinforced some of my concerns about my system. ie, which parts can be leaked, and which ones are useful to an attacker. Manly, reminding me that I need the max depth of defense, because I know enough about security to know the data should be secure even if the attacker knows everything there is to know about the algorithm.
–
sudopeopleOct 30 '12 at 22:48

It also reminded me that salts should be unique. I already know this about IV's but forgot the obvious here.
–
sudopeopleOct 30 '12 at 22:51

1

@sudopeople A static salt can be used in conjunction with a dynamic salt, but it is known as Pepper
–
Scott ChamberlainOct 31 '12 at 20:35